---
description: Hasura Cloud and Hasura Enterprise multiple JWT Secrets
title: 'Cloud Professional & Enterprise Edition: Multiple JWT Secrets'
keywords:
  - hasura
  - docs
  - cloud
  - enterprise
  - security
  - allow
  - multiple
  - JWT
  - secrets
sidebar_position: 60
sidebar_label: Multiple JWT Secrets
sidebar_class_name: cloud-and-enterprise-icon
---

import HeadingIcon from '@site/src/components/HeadingIcon';
import ProductBadge from '@site/src/components/ProductBadge';

# Multiple JWT Secrets

<ProductBadge pro ee self />

## Introduction

You can configure GraphQL Engine with a list of JWT secrets. This enables you to authenticate with different JWT
issuers.

## How to use

Multiple JWT secrets can be provided in the env var `HASURA_GRAPHQL_JWT_SECRETS` which takes a list of JWT secret
objects.

For example:

```json
[
  { "jwk_url": "https://...", "issuer": "myapp" },
  { "type": "HS256", "key": "3EK6FD...", "issuer": "test" }
]
```

The structure of an individual JWT secret is described [here](/auth/authentication/jwt.mdx#configuring-jwt-mode).

:::info Note

If both `HASURA_GRAPHQL_JWT_SECRET` and `HASURA_GRAPHQL_JWT_SECRETS` are set, then `HASURA_GRAPHQL_JWT_SECRETS` will be
used.

:::

## Resolution logic

The authentication is resolved as follows:

1. Bearer tokens are extracted from headers or cookie locations (as configured by each JWT secret)
2. Tokens are filtered to ensure that the **issuer** field matches the configuration, or that the issuer is absent
   either from the configuration or the token.
3. If no matching tokens are found then the unauthenticated flow is performed (depends on
   [HASURA_GRAPHQL_UNAUTHORIZED_ROLE](/auth/authentication/unauthenticated-access.mdx)).
4. If multiple matching tokens are found then an error is raised as the desired token is ambiguous.
5. If only one matching token is found then it is verified against the corresponding configured secret.
